Security, et al

Patch management is mostly a workstation issue right now

Fri, 05 May 2006 17:32:05 GMT

Yesterday, Microsoft gave its monthly advance notification of security bulletins ahead of this coming Patch Tuesday. There are 2 new vulnerabilities in Windows and I bet you they are workstation-centric.

Have you noticed what I’ve noticed? The majority of Microsoft security updates these days are workstation-centric.

By a workstation-centric security update I mean the patch applies to a program normally executed on workstations (as opposed to servers) or involves interactive activities normally performed by users at workstations such as web browsing, working with document files and reading email.

At first blush that might seem good since we typically view servers as more critical than workstations. But there are at least 3 reasons why workstation vulnerabilities may be just as much a nuisance as server vulnerabilities.

1. Patch deployment effort. There are more workstations than servers. Ergo, more work deploying patches.

Furthermore, many of your workstations are mobile, and it’s more complicated, if not impossible, to reach out to those systems and patch them.

2. Workarounds exist for many security vulnerabilities, but expecting users to follow them isn’t realistic.

You might be able to trust professional IT server administrators to follow workaround procedures to avoid exposure to an unpatched vulnerability, but you can’t count on end users.

3. Most importantly, workstations are critical to security.

If you can take over a workstation, you can become the user who logs on at that workstation and access the same network resources and applications to which the legitimate user has access.

I don’t see this trend of workstation vulnerabilities going away anytime soon, so we might as well fine-tune our workstation patch management process. It will be interesting to see how well Vista and IE7 combat this trend.